[resolved] wp-includes/query.php modified - hacked (3 posts)

  1. falshiw
    Posted 3 years ago #

    Sorry if I am writing this in the wrong section.

    This is my first post and I'm only writing it because I spent 6 hours trying to find how the hell a site was hacked. Finally I found what was wrong and I want to share it.
    I couldn't find any similar case anywhere (can't say I tried very hard).

    The problem was that in the footer of every front-end page, there was a short script and an invisible link to onlineroulette-reviews.com

    [hacked code removed - please do not post that here]

    I tried disabling plugins and searching for some of the strings in the WordPress files, but with no results.
    I couldn't find anything in the database either.

    I noticed that removing wp_footer() from footer.php fixed the problem, but that wasn't good enough because there were some needed functions there.

    One of the functions was "check_wp_load", which was very strange and I was unable to find what added it. Trying to remove it also didn't work.

    Long story short, after several nerve-racking hours, I found the problem.
    Someone had added these lines at the beginning of query.php:

    [hacked code removed - please do not post that here]

    I don't have logs to find the hacker, nor do I know when that happened. I don't have the time to investigate. I just hope that if someone else has this problem, they will find this post and save themselves some time.

    Sorry for the bad English :)

  2. WPyogi
    Forum Moderator
    Posted 3 years ago #

  3. falshiw
    Posted 3 years ago #

    Thank you for the info.
    I've checked everything I could find using these resources.
    I couldn't find other threats.
    Seems like this modification was made before the year 2012 and survived in this file, query.php, even after several updates of WordPress.
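
The kind of check that would have surfaced the change to wp-includes/query.php without hours of manual searching, shown as an added example that is not part of the original thread: it compares core files with a known-good checksum manifest and flags files that mention the `check_wp_load` name from the first post. Assumptions: the manifest is a `{relative_path: md5}` map (modelled on the per-version checksum lists WordPress.org publishes for core), `audit_core` and `demo` are hypothetical names, and the file tree and tampering are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Identifier named in the thread; extend with names found during your own triage.
SUSPECT_NAMES = ("check_wp_load",)


def audit_core(root: Path, manifest: dict, names=SUSPECT_NAMES) -> dict:
    """Compare files under root with a {relative_path: md5} manifest (assumed format)."""
    report = {"modified": [], "missing": [], "unknown": [], "suspect": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        # wp-admin and wp-includes hold only core code, so any extra file is suspicious.
        if rel.startswith(("wp-admin/", "wp-includes/")) and rel not in manifest:
            report["unknown"].append(rel)
        if any(name in path.read_text(errors="replace") for name in names):
            report["suspect"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed two-file tree, tamper with query.php, then audit it."""
    clean = {
        "wp-includes/query.php": "<?php\n// constructed stand-in for core code\n",
        "wp-includes/post.php": "<?php\n// constructed stand-in for core code\n",
    }
    manifest = {rel: hashlib.md5(src.encode()).hexdigest() for rel, src in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(src)
        # Constructed tampering: a harmless placeholder prepended to the file.
        (root / "wp-includes/query.php").write_text(
            "<?php /* constructed placeholder: check_wp_load */ ?>\n"
            + clean["wp-includes/query.php"])
        return audit_core(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Because the manifest is tied to one WordPress version, a file that no longer matches after an update stands out immediately, whatever its modification date.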

Topic Closed

This topic has been closed to new replies.
